I received a suspicious email with a very weird-looking attachment. It keeps on asking me to “enable macros”. What are those?
A little bit of Theory
In general, a macro maps an input to a replacement output. Keyboard macros are one example: a single key press is mapped to a long, time-consuming sequence of keystrokes. For this TryHackMe room, however, we are looking specifically at Office macros. They are small programs, written in Visual Basic for Applications (VBA), used to automate tasks that have to be done often. This functionality can lead to severe security problems, because attackers can use macros to trick users into running malicious code. This is especially dangerous, and commonly used, in phishing attacks. Phishing uses electronic communication (mainly email) to trick users, and it falls under social engineering, which is less technical and more focused on human behaviour. You can find a lot more information on these topics online; a short, precise explanation is provided by Microsoft’s learning platform: Macro malware and Phishing.
XOR is a logical operation on binary values; in mathematics it is the exclusive or: the result is 1 exactly when the two inputs differ. As with any logic gate, a truth table describes the operation:

| A | B | A XOR B |
|---|---|---------|
| 0 | 0 | 0 |
| 0 | 1 | 1 |
| 1 | 0 | 1 |
| 1 | 1 | 0 |

Applied to whole bytes, XOR works bit by bit, and XORing a value with the same key twice returns the original. That is why the same operation can both encode and decode the data in the macro below.
We first need to find the macro’s code, then we need to analyse it.
Find the Macro
- Start the machine and use split screen
- Navigate to the ‘/home/ubuntu/mrphisher’ folder
- Open the ‘MrPhisher.docm’ file with LibreOffice Writer

Now we can analyse the file and see what macros are included:

- Go to ‘Tools -> Macros -> Edit Macros’
- Search the folders for macros: under ‘MrPhisher.docm -> Project -> Modules -> New Macros’ we find a macro
Analyse the Macro
The macro has the following code:
Now, I have never worked with Visual Basic, but I can still guess what is happening in the code with my knowledge of other programming languages. We have an array ‘a’ with decimal values. Then there is a for-loop that iterates over the array, where each decimal value from the array is XORed with the loop index and the result is appended to a string. So this looks like an encoding of a string, which might be the flag.
What I did is write a Python program that performs the exact same steps to see the decoded text. This could also be done by hand, which would require an extra step of converting each value to binary to do the XOR operation.
My Python code looks like this:
Running it will output a string that is indeed the flag:
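The decoding described above, written out as an added example. This is not the author’s script (the listing is not reproduced here), and the byte array below is constructed sample data that encodes a made-up string, not the array from the room’s actual macro. It mirrors the macro’s pattern (each array element XORed with its own index, result appended to a string), shows the by-hand binary step for the first few bytes, and demonstrates that applying the same loop to the plaintext produces the array again, because XOR is its own inverse.

```python
"""Decode a VBA-style "byte XOR index" string obfuscation.

The pattern mirrors what the macro does:
    For i = 0 To UBound(a): s = s & Chr(a(i) Xor i): Next
Constructed sample array below (NOT the room's real data): it encodes
the made-up string "flag{xor_demo}".
"""

# Constructed sample input: output of encode_xor_index("flag{xor_demo}").
SAMPLE_ARRAY = [102, 109, 99, 100, 127, 125, 105, 117, 87, 109, 111, 102, 99, 112]


def decode_xor_index(values):
    """Return the string obtained by XORing each value with its position.

    Each element is masked to a byte (values outside 0..255 would make
    chr() produce surprising characters, and VBA arrays hold bytes here).
    """
    return "".join(chr((v ^ i) & 0xFF) for i, v in enumerate(values))


def encode_xor_index(text):
    """Inverse of decode_xor_index; it is the same operation, since
    (x ^ i) ^ i == x. Returns the list a VBA author would paste into the macro."""
    return [ord(ch) ^ i for i, ch in enumerate(text)]


def explain_step(values, count=4):
    """Show the manual binary XOR for the first `count` elements,
    the "extra step" needed when decoding by hand."""
    lines = []
    for i, v in enumerate(values[:count]):
        result = (v ^ i) & 0xFF
        lines.append(
            f"a[{i}] = {v:3d} = {v:08b}  XOR  {i:08b} ({i})"
            f"  ->  {result:08b} = {result:3d} = {chr(result)!r}"
        )
    return lines


def is_plausible_flag(text):
    """Cheap sanity check for a decoded candidate: printable ASCII only.
    A wrong key or loop bound typically yields control characters."""
    return all(32 <= ord(ch) < 127 for ch in text)


if __name__ == "__main__":
    decoded = decode_xor_index(SAMPLE_ARRAY)
    print("\n".join(explain_step(SAMPLE_ARRAY)))
    print("decoded :", decoded)
    print("printable:", is_plausible_flag(decoded))
    # Round trip: re-encoding the plaintext must give the original array.
    print("round trip ok:", encode_xor_index(decoded) == SAMPLE_ARRAY)
```

To use it on the real macro, replace SAMPLE_ARRAY with the numbers copied from the array in the VBA editor; if the loop in the macro starts at 1 instead of 0, shift the index accordingly, and the printable check is a quick way to tell whether you picked the right loop bound.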